25.7.8 Unbound blocklist source nets

Started by gpfountz, November 26, 2025, 08:28:30 PM

After upgrading to 25.7.8, I configured unbound's blocklist's source nets to include my LAN and IoT networks, excluding my GUEST network.  The problem is as soon as someone on the guest network does a lookup of a blocked domain, that domain's IP lookup is cached. After this, that blocked domain's IPs are served to my LAN.

Is there a solution for this?  I know I can use a different DNS server for my GUEST network. That is what I was doing before the source nets feature was added to 25.7.8.

Thanks in advance!

Unfortunately I'm seeing the same effect. Once a domain is cached by a user in a source net that is allowed access, users from a source net that is blocked can now retrieve the cached request. It seems that source net blocking only blocks recursive DNS, not cached DNS. :(

What happens if you disable the caches?

Advanced->Message Cache Size = 0
Advanced->RRset Cache Size = 0

I'll second this!

I've done quite a bit of testing, moving from Adguardhome to unbound and its BLs. Even using the same BLs, with the URLs added to unbound to make them identical, I'm still getting ads coming through when using unbound that I don't when using Adguardhome.
A restart of OPNsense also doesn't appear to make any difference; I've cleared the local client DNS cache and browser cache as well as rebooted the client.

I'll give it a second go after the next upgrade

One solution for distributing blocklists across your networks is to use RPZ.
The problem is that you have to do it manually in /usr/local/etc/unbound.opnsense.d
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **
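
As an added example (not from this thread or from OPNsense), here is one way to do the manual RPZ setup mentioned above: a script that drops an Unbound RPZ policy plus its zone file into the directory given on the command line (intended to be /usr/local/etc/unbound.opnsense.d), restricting the policy to clients that carry an access-control tag so only the tagged networks are filtered. The tag name "filtered", the file names, the sample domains and the 192.168.x.0/24 networks are all constructed for the example; the RPZ policy is tied to the querying client's tag rather than to whoever resolved the name first, which is what makes it a fit for the per-network case. Check with a lookup from each network after restarting Unbound.

```shell
#!/bin/sh
# Added example: install a tag-scoped Unbound RPZ blocklist.
# Hypothetical names: tag "filtered", zone "blocklist.rpz", file names below.
set -eu

write_rpz_config() {
    dir="$1"
    mkdir -p "$dir"
    # RPZ zone: names are relative to the zone origin, so "ads.example" here
    # matches queries for ads.example; "CNAME ." is the RPZ NXDOMAIN action.
    cat > "$dir/blocklist.rpz" <<'EOF'
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. 2025113001 3600 900 604800 300
@   IN NS   localhost.
; constructed sample entries: block the name and every subdomain
ads.example        CNAME .
*.ads.example      CNAME .
tracker.example    CNAME .
*.tracker.example  CNAME .
EOF
    # Unbound config fragment. OPNsense's generated unbound.conf may already
    # set module-config; it must list "respip" first for RPZ to work.
    cat > "$dir/rpz-blocklist.conf" <<EOF
server:
    module-config: "respip validator iterator"
    # constructed example: tag the LAN and IoT networks, leave GUEST untagged
    define-tag: "filtered"
    access-control-tag: 192.168.1.0/24 "filtered"
    access-control-tag: 192.168.30.0/24 "filtered"

rpz:
    name: "blocklist.rpz"
    zonefile: "$dir/blocklist.rpz"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "blocklist"
    # only queries from clients carrying this tag are subject to the policy
    tags: "filtered"
EOF
}

if [ "$#" -gt 0 ]; then
    write_rpz_config "$1"
else
    echo "usage: $0 /usr/local/etc/unbound.opnsense.d" >&2
fi
```

Swap which networks get the tag to invert the policy (filter GUEST only); rpz-log writes a line per hit so you can confirm which client and network triggered a block.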

November 30, 2025, 09:30:29 PM #5 Last Edit: November 30, 2025, 10:15:32 PM by OPNenthu Reason: grammar / clarity
I haven't enabled the per-network DNSBL on my end as of yet, but for those who are seeing this: are you using dynamic IPv6 prefixes?  I'm looking at the Source Nets field and I don't know how you would even configure it for e.g. IA_PD.

AFAIK, we don't (yet) have any mechanism to track those for use in form fields like this.  Am I misinformed, or is this feature presently limited to IPv4 and IPv6 networks where the prefixes are not changing?

In any case: https://github.com/opnsense/core/issues/9474